Dear Vishal,

• OS version of the Server : Server 2022
•         SQL version: 2022
•         Location of both; (physical, virtual): Virtual / Azure IaaS - Windows VM
•         Will they be on the same server machine? : Yes
•         Authentication mode: Local, Azure AD, or Windows AD: Local for Tenant Admin, Azure AD for Global Admin
•         Intel® EMA software version: Intel® EMA v1.14.3.0
•         Number of endpoints to be provisioned: 200
•         Will remote access to BIOS be necessary? : Yes (our only reason for this product)
•         Location of endpoints: local or remote.: Local and Working from Home/Remote
•         FQDN: ema.alphatrains.eu

---

When I disable WiFi - It works:

When I enable WiFi it becomes stuck on 2 Clients (Dell Latitude 7440 and Dell Latitude 7450)

Another client / showing a fancy Intel Logo the other one doesnt but result is the same:

Log file of the Managebility Server & Log from Client attached

I digged a bit deeper and found this. I configured some dummy WiFi, "AlphaTrains-Test" with 12345678 as password. This synced just fine:

Only difference is that I tried WPA CCMP + Simple Password. The profile syncs perfectly to the client. 

As soon as I configure WPA2-PSK with our production SSID and complex password, the device seems to fail.

Why would that be? Surely the devices should support WPA2-PSK.
Also I noticed that if you login to the local EMA web-interface the settings are pushed properly:

CIRA still shows as disconnected, even though I deployed this AlphaTrains-Test WiFi..

So there seems to be 2 issues: CIRCA never connecting, also not when the client is in LAN or WiFi on OS-Level, and WiFi Profile seems to be too complex for AMT?

Hello AlphaSeb,

Greetings!!

Thank you for sharing the detailed information regarding the issue.

To help us narrow down accurately, we kindly request you to perform the following steps:

• Provision the endpoint in CCM mode without WPA2-PSK and share the ECT log from the endpoint. This will help us determine whether the CIRA tunnel is being established correctly between the AMT and the Swarm server.
• If provisioning in CCM mode is successful, please proceed to provision the endpoint in ACM mode without WPA2-PSK and again share the ECT log of the endpoint.
• If ACM provisioning fails, we may need to review the certificate configuration. In that case, please also share a screenshot of the certificate settings from the Intel® EMA console.

These details will significantly aid our investigation and help us move forward with a resolution.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

I might add that as soon as I enable:

I have this error in the log:

2025-08-07 21:02:21.0502|WARN||9116|89|SetWirelessUefiWiFiProfileShareEnabledOption - MeshManageabilityServer.code.AmtSetup.WirelessManager, EMAManageabilityServer, Version=1.14.3.0, Culture=neutral, PublicKeyToken=57d11e903ea1ca2c - [1] - Unable to set UEFIWiFiProfileShareEnabled to True. : (ATPC-8KM59Y3,342CFF7D).
Exception Level(0):WSManFault.Code: a:Sender WSManFault.SubCode: e:UnsupportedFeature
StackTrace Level(0): at Intel.Manageability.WSManagement.DotNetWSManClient.WSManSendReceive(Header header, XmlElement[] bodyIn, XmlElement[]& bodyOut)
at Intel.Manageability.WSManagement.DotNetWSManClient.Put(Uri resourceUri, XmlElement content, IEnumerable`1 selectors)
at ManageabilityStack.AmtWireless.SetupUefiWiFiProfileShareEnabledOption(Boolean enabled)
at MeshManageabilityServer.code.AmtSetup.WirelessManager.SetWirelessUefiWiFiProfileShareEnabledOption(Boolean enabled)

However: Provisioning still completes without an error.

Could you please confirm, that this setting is not needed? If it is needed, how do I get this to work?

Can you confirm that .eu Domains are working? I found this, and now I'm not sure if this is the root cause:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

Client shows:

*** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

CCM

Logs attached

CIRA now shows as "Connecting..." but no success.

Network issue?
.tld issue?

Edit: After a few mins it goes to:

** CIRA Information ***
CIRA Server: Not Found
CIRA Connection Status: NOT_CONNECTED
CIRA Connection Trigger: USER_INITIATED

Hello AlphaSeb,

Greetings!!

Thank you for the update.

As CIRA should be able to connect in CCM mode, we recommend the following steps to help resolve the issue:

• Update the BIOS and ME (Management Engine) driver to the latest versions provided by your OEM (Dell).
• Stop the current provisioning, then reprovision the endpoint. After reprovisioning, restart the endpoint and wait for about 5 minutes. Observe the behavior and share your findings with us.
• After completing the above steps, we kindly request you to share the latest ECT log from the endpoint for further analysis.

These steps will help us narrow down the issue and proceed accordingly.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

Did all that.  Logs attached, nothing changed.

When checking the server on port 8080, it is showing the built-in cert. Should it not report my PKI cert?

openssl s_client -connect ema.alphatrains.eu:8080 -showcerts
Connecting to 52.233.167.88
CONNECTED(000001F8)
depth=0 O=Mesh, CN=ema.alphatrains.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O=Mesh, CN=ema.alphatrains.eu
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O=Mesh, CN=ema.alphatrains.eu
verify return:1
---
Certificate chain
0 s:O=Mesh, CN=ema.alphatrains.eu
i:O=Mesh, CN=MeshRoot-2F3F9B97
a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
v:NotBefore: Aug 6 09:50:26 2025 GMT; NotAfter: Aug 1 09:50:56 2045 GMT
-----BEGIN CERTIFICATE-----
MIIEEzCCAnugAwIBAgIVAOZyA/Q8AKtuuCu9bz/tL1DFxpmZMA0GCSqGSIb3DQEB
DAUAMCsxDTALBgNVBAoMBE1lc2gxGjAYBgNVBAMMEU1lc2hSb290LTJGM0Y5Qjk3
MB4XDTI1MDgwNjA5NTAyNloXDTQ1MDgwMTA5NTA1NlowLDENMAsGA1UECgwETWVz
aDEbMBkGA1UEAwwSZW1hLmFscGhhdHJhaW5zLmV1MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArfQKAb7O8bVd2XnLBDf0jywTO7PLWIvbGlf5+97m6wJ+
A5OGVODbr9eRHRlOLWucchzJ+VF95ABZT4MVh0Xf1vqs1kY78pD0Lww4U6VKA+gW
mslUmGyqDsx6ZEnBo6wheMCrRuG4MDxkVCzQuWTOrljMDgy8OuUVzcfXkzXWcgA9
Lbg/SKhaNPjPSJHg+46LyWOPCs7D7whF69ogRTuGF5d7nqF0wYh02lZKkYgxcDnC
NMbD3Os97OFtEhxae215nQaHPlsWiD25Gof4meVw3uaS4hg5Fa0tkY9PosTxRdTA
Is7Su8cDrM2zJdDR+vrmdI/p8ewvza+KWFioGShpxwIDAQABo4GsMIGpMGYGA1Ud
IwRfMF2AFIxdJfgG8FWNskbPA6ys6TAG0u7GoS+kLTArMQ0wCwYDVQQKDARNZXNo
MRowGAYDVQQDDBFNZXNoUm9vdC0yRjNGOUI5N4IUd3/1/BT8QprUELQM2x9U60SK
2YwwHQYDVR0OBBYEFAB0EEU9kP81TFp38JBuG5dVsGvvMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQwFAAOCAYEAk8XHEWk3COwO
HHIfUbYAuUGA4lyK52TU3pi0bucnhccSsVLFzywhnMx0txDdkrgaODUzcIiCpUn0
OsiILgyZiwOxoUJjVvuciqyTdb3g97NJIx1Pf6LgWBW96K5aS9G+YQSlReGggfu+
7bGos/9/ZBD7NE/NuUcQ3m2MLyeSpjlBdGVhYwH76HmNZyo+/3te+6A/FAcv49nA
Upj8sPboGPIWm2yBQmIBSmc6L3dbjU0crRMzOuD2HvYbF93Nem/XG+cu/nkOBL7q
bNwVefrV/fPxsdpKn+iiEL0ZjQI0LEkmI8Rl5mgvDzHum4EMTXyprDbkxHfuwB/v
my+b9S/3tsC2l/PY9fo5I9u7Zz8vFd1P985hAC0dveghuLN5h5YPlNvZ3mX4Pvp4
g2A+jGw2bJTnYUJL8Eyi/nNYkYf/QPLo+FQw8O3VTeYQAboAgPap9CmbOtbGtF1f
m+u9Qv1qK+l44x00AQHyGxdK09OVz+qYOU0CK1kMrEGQG0p4rcSY
-----END CERTIFICATE-----
---
Server certificate
subject=O=Mesh, CN=ema.alphatrains.eu
issuer=O=Mesh, CN=MeshRoot-2F3F9B97
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1716 bytes and written 2041 bytes
Verification error: unable to verify the first certificate

Hello AlphaSeb,

Greetings!!

Thank you for sharing your observation.

We note that you are seeing a built-in certificate (MESH Root Cert) on port 8080, which is the internal certificate triggered by Intel® EMA to establish a CIRA tunnel. The PKI DNS suffix that you have manually provisioned in Mebx shows (alphatrains.eu), where “.eu” is not a supported domain in Intel® AMT.

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

Kindly refer to the link below for the list of supported domains when purchasing a certificate:

Please also share a screenshot from the Settings tab in the Intel® EMA console under the Tenant Admin login. For reference, please see:

https://www.intel.com/content/www/us/en/support/articles/000055009/technologies.html

Additional reference links:

• Certificate Root Hash details: https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintelamtandsecurityconsiderations1.htm
• OID Details: https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

Based on the details shared, the new ECT log still shows an outdated BIOS and ME driver version. As a best practice, we recommend updating them using the links below:

• BIOS: https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=2v9mf
• Intel® ME Driver: https://www.intel.com/content/www/us/en/download/682431/intel-management-engine-drivers-for-windows-10-and-windows-11.html

Please let us know if you have any questions.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

Dear Vishal,

after revising my config, reinstalling the certs, creating a new USB-Stick etc.

I got it working like this now:

• CIRAconnected
• Admin Control Mode
• Provisioning completed
• WiFi Profiles installed

• KVM via AMT, without consent works as expected, when the OS is online
• KVM via AMT does NOT work, when the OS is offline. e.g. "Reset to BIOS"  - the device resets, and is showing the BIOS but I can't connect anymore
• CIRA is "Not connected" when the device is Out of Band
• CIRA is only connected when the device is In-Band

I went through all the hoops to make this software working, and now the most important part seems not to work? In my other topic I was told, that Out of Band Management only works when you purchased a certificate and provision devices in ACM mode.

Well, thats what I did now - and it still does not work?!

I have Dell Laptops with vPro Certification, so I'd expect this to work?

Re your message:

• The BIOS you linked is older than the BIOS I have installed (I have the latest BIOS: 1.22.0)
• I have installed the latest Management Engine Drivers from the Dell Support but have installed yours now. That surely won't fix my problem.
• Why does ACM and CIRA work In-Band, if my ".eu" tld is the problem?

Attached a new log

Is what I want to achieve feasible at all?

Hello AlphaSeb,

Greetings!!

The reason you can provision your endpoint with Intel EMA over CIRA using in-band but not connect via out-of-band (OOB) is due to how PKI DNS Suffix and server certificate validation operate with Intel AMT. The .eu domain is not a supported top-level domain (TLD) in the AMT firmware/SDK for PKI-based out-of-band provisioning, so OOB provisioning fails, but in-band connectivity with CIRA still works, please find the same in the reference link given below:

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fpkicertificateverificationmethods.htm

Essential context and details:

 AMT PKI Provisioning depends on a match between the provisioning certificate's Common Name (CN) or Subject Alternative Name and the PKI DNS Suffix stored in Intel AMT (from DHCP Option 15 or manual setting in MEBx).

Intel AMT firmware has hardcoded support for specific public TLDs in its PKI verification logic. Some TLDs (such as .eu) are not recognized as valid for PKI provisioning, so attempts to provision OOB using certificates with unsupported TLDs fail.

When you use in-band CIRA connection, the Intel EMA agent running within the OS brokers this connection. This enables provisioning even if the PKI DNS Suffix is not validated out-of-band, bypassing the firmware's strict TLD check.

For out-of-band connections (such as from the powered-off state), AMT must validate the PKI chain and DNS suffix itself, which fails if the TLD is not supported.

The only workaround is to use a PKI DNS suffix and EMA server DNS name with a supported TLD (.com, .net, .org, etc.), or continue provisioning only in-band with the current configuration.

Additional note:

 Physical touch provisioning (setting the correct DNS Suffix in MEBx by hand), or choosing a compliant DNS suffix, is required for real OOB capabilities using PKI.

https://www.intel.com/content/www/us/en/support/articles/000058945/software/manageability-products.html

Additionally, we would recommend a AMT provisioning certificate with the AMT OID 2.16.840.1.113741.1.2.3.

In summary: In-band CIRA with the EMA agent works around this TLD limitation, but AMT firmware itself cannot complete OOB PKI provisioning if the suffix ends in .eu, as this is unsupported by the firmware's validation logic.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

Thanks for the explanation, I will go ahead and speak with Digicert, if they can revoke this cert, and give me a new one with our .com Domain.

I will then go ahead, try it again, with .com Domain, and report back here.

Hello AlphaSeb,

Greetings!!

Thank you for sharing the details. Please proceed as planned, and once you have the new certificate with the .com domain, kindly try again and revert back to us with the results.

Please let us know if you need any assistance, and feel free to revert back to us at any time.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

I have the certificate with .com tld now.

• Adjusted Entra ID login
• Adjusted Managebility Server FQDN
• WebServer FQDN
• Allowed Domains

• Uploaded the certs (PFX with password, and whole chain)
• Changed AMT AutoSetup Profile to use new Cert

• Restarted the whole server
• Recreated the USBStick with USBFile
• Uninstalled Agent
• Ran "C:\Program Files (x86)\Intel\EMAConfigTool\EMAConfigTool.exe" --unconfigure
• Went into F12>Intel Management Extension>Disable
• Rebooted
• Went into F12>Intel Management Extension>Enable
• Put the USB-Stick in, rebooted
• Applied config
• Reinstalled Agent

Even though CIRA was connected before (in ACM, but over the Agent, like you said) it's now "Not connected"

• Platform Manager didn't work anymore, so 
• Went here C:\Program Files (x86)\Intel\Platform Manager\Platform Manager Server
• Updated settings.txt with new UPN
• Logged in, works
• Console still showing this weird MeshRoot, I'd expect it to show my PKI Cert??
• 

   

• Confirmed with OpenSSL (see attached)
• Confirmed with EMAConfigTool (see attached)

If I can't get this to work this week, the next laptops were gonna buy as a company are going to be AMD. I'm so annoyed by this user-unfriendly software and cumbersome process.

Some more MeshCommander Screenshots:

Hello AlphaSeb,

Greetings!!

Thank you for changing to the supported certificate domain, as per the Intel document.

Please proceed to add the PKI DNS suffix in the MEBx settings by following the steps outlined in the article below:

https://www.intel.com/content/www/us/en/support/articles/000058945/software/manageability-products.html

Once completed, kindly share with us the latest ECT logs of the endpoint, so we can verify the configuration.

With that, also share us the screenshot from the Certificate tab as shown in the reference image below. You can access this by navigating to:

Manage User Certificates → Personal → Certificates → Select the certificate in question → Details

Please let us know if you need any assistance, and feel free to revert back to us at any time.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro

Dear Vishal,

1) PKI DNS Suffix has been added, using the USBFile (setup.bin) + USB Stick method. The client log I have attached yesterday, so that should be visible to you:

2) Screenshot of the certificate installed in Computer/User Personal Store

The very same cert, is also installed here and detected as PKI Cert.

Would it possible to have a call during German business hours? This back and forth here is quite time consuming.

Hello AlphaSeb,

Greetings!!

Thank you for providing the details.

Please ensure the endpoint is physically accessible and the EMA server setup is available.

For further analysis, we request that you share the complete ECT log, as the one provided appears to be only a partial screenshot.

Intel® EMA Configuration Tool (ECT) Logs:

1. Download the tool from the following link: Intel® EMA Configuration Tool
2. Installation:

• Download and unzip the tool.
• Double-click the .msi file and follow the installation prompts.

1. Run the Tool:
2. a. Open a command prompt as an administrator (or use Windows PowerShell*).
3. b. Navigate to the installation folder (default: C:\Program Files (x86)\Intel\EMAConfigTool).
4. c. Run the following command:
5. EMAConfigTool.exe --verbose

In the meantime, we will review the meeting schedule and coordinate with our internal team.

Best Regards,

Vishal Shet P

Intel Customer Support Technician

intel.com/vpro